Yale faces barrage of cyberattacks

The University has faced a growing number of cyberattacks in recent months, according to Chief Information Security Officer Richard Mikelinich.

Yale Information Technology Services has detected several million hostile attacks over the past few months, as hackers use more innovative methods than ever before to probe Yale’s systems, Mikelinich said. Though he declined to comment specifically on strategies for keeping hackers at bay, he said ITS is committed to protecting the University’s networks. Still, computer science professors interviewed said that technology has not yet progressed to the point where a network can be completely secure.

“It’s hard to say who is behind all of this activity, but we believe it includes identity thieves, people or organizations seeking Yale’s intellectual property and spammers or pirates who want to use Yale computers to distribute or store their data,” Mikelinich said. “We are doing everything we can to protect Yale’s network while ensuring that legitimate information continues to flow freely, but I can’t be more specific without compromising Yale’s security efforts.”

Information security is a serious issue for all research universities, he said, because a great deal of valuable intellectual and personal information is housed on universities’ networks.

Criminal organizations may be behind some of the attacks because criminals can profit from selling access to compromised computers on the black market, said computer science professor Michael Fischer. Other probes may come from domestic and foreign spy agencies that seek to monitor Yale’s online communications, he said.

Mikelinich said the most common form of hostile behavior is scanning the Yale network for vulnerabilities. Other hacker strategies include using computers outside the University network to steal Yale data, injecting malicious code into Yale websites and databases and phishing — attempting to acquire personal information by posing as a trustworthy party.

“We are watching out for instances in which many computers from around the world suddenly begin connecting to a single Yale computer, which can be an indication of a malware infection or a serious attack on Yale’s network,” he said.

Fischer said some attacks on Yale’s networks have likely succeeded. Potential consequences of successful attacks include identity theft, monetary theft and intellectual property theft, he said.

Joan Feigenbaum, a computer science professor, said universities must balance the desire to create, use, store and transmit massive amounts of sensitive data with a mandate to keep this data secure. Schools often choose to prioritize information sharing at the expense of maximum security, she said.

Though professors interviewed said Yale must invest heavily in information security, Fischer recognized that “eliminating all security bugs from hardware and software is beyond our technological capabilities.” As computer systems gain more features and become increasingly complex, more opportunities for security flaws emerge, he added.

Bryan Ford, a computer science professor, said some of his colleagues are involved in research that aims to use mathematical techniques to make software with no security vulnerabilities.

“Unfortunately, this whole area of technology is years and years from the point where any normal user would be able to run an email or operating system that has been proven secure and free of malware abilities,” he said.

In the meantime, users should focus on good “security hygiene practices” like avoiding suspicious websites, links and programs, Ford said.

Feigenbaum said the conversation about information security has shifted recently in light of Edward Snowden’s allegations against the National Security Agency.

“Apparently, the U.S. government has deliberately compromised some of the security technology that we rely on to repel cyber attacks — or perhaps I should say ‘relied on’ [in the] past tense,” she said. “It is not clear at this point whether we can actually rely on anything.”

According to ITS policy, no email from ITS will ever request sensitive account information such as a password.